T1037

Boot or Logon Initialization Scripts

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. On Windows, logon scripts can be set via the UserInitMprLogonScript registry value under HKCU\Environment, or via Group Policy. On Linux and macOS, adversaries target RC scripts (/etc/rc.d/, /etc/init.d/, /etc/rc.local), systemd unit files, login hooks, and startup items. These mechanisms execute with elevated privileges and survive reboots, making them effective persistence mechanisms. Threat groups including APT41, APT29, Rocke, and UNC3886 have all leveraged initialization script abuse, targeting both enterprise endpoints and network appliances.

Microsoft Sentinel / Defender

kusto

let WindowsLogonScriptKeys = dynamic([
  "UserInitMprLogonScript",
  "\\Environment\\UserInitMprLogonScript"
]);
let LinuxInitPaths = dynamic([
  "/etc/rc.d/", "/etc/init.d/", "/etc/rc.local", "/etc/init/",
  "/etc/rc0.d/", "/etc/rc1.d/", "/etc/rc2.d/", "/etc/rc3.d/",
  "/etc/rc4.d/", "/etc/rc5.d/", "/etc/rc6.d/"
]);
let SuspiciousExtensions = dynamic([".sh", ".py", ".pl", ".rb", ".bash"]);
// Branch 1: Windows registry-based logon scripts
let WindowsLogonScript = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has "\\Environment" and RegistryValueName =~ "UserInitMprLogonScript"
| extend DetectionBranch = "Windows-LogonScript-Registry"
| extend Detail = strcat("Key: ", RegistryKey, " | Value: ", RegistryValueData)
| project Timestamp, DeviceName, AccountName, ActionType, RegistryKey,
          RegistryValueName, RegistryValueData, InitiatingProcessFileName,
          InitiatingProcessCommandLine, DetectionBranch, Detail;
// Branch 2: Suspicious file writes into Windows Startup / logon script paths
let WindowsStartupFile = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (
    "\\Windows\\System32\\GroupPolicy",
    "\\Windows\\SysWOW64\\GroupPolicy",
    "SYSVOL",
    "\\netlogon\\"
  )
| where FileName has_any (".bat", ".cmd", ".vbs", ".ps1", ".js", ".wsf")
| extend DetectionBranch = "Windows-StartupScript-FileCreate"
| extend Detail = strcat("File: ", FolderPath, "\\", FileName)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          ActionType, RegistryKey="", RegistryValueName="", RegistryValueData="",
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, Detail;
// Branch 3: Linux/macOS init script file creation (via Syslog/AuditLogs)
let LinuxInitScript = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (LinuxInitPaths)
| extend DetectionBranch = "Linux-InitScript-FileCreate"
| extend Detail = strcat("File: ", FolderPath, "/", FileName)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
          ActionType, RegistryKey="", RegistryValueName="", RegistryValueData="",
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, Detail;
// Branch 4: macOS login hook configuration via 'defaults write'
let MacOSLoginHook = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "defaults"
| where ProcessCommandLine has "LoginHook" or ProcessCommandLine has "LogoutHook"
| extend DetectionBranch = "macOS-LoginHook-Configured"
| extend Detail = ProcessCommandLine
| project Timestamp, DeviceName, AccountName,
          ActionType="ProcessCreate", RegistryKey="", RegistryValueName="", RegistryValueData="",
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionBranch, Detail;
union WindowsLogonScript, WindowsStartupFile, LinuxInitScript, MacOSLoginHook
| sort by Timestamp desc

high severity medium confidence

Data Sources

Registry: Registry Key Modification File: File Creation File: File Modification Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceFileEvents DeviceProcessEvents

False Positives

Group Policy administrators deploying legitimate logon scripts via SYSVOL/NETLOGON shares during policy updates
Configuration management tools (Ansible, Chef, Puppet, SCCM) writing startup scripts to managed endpoints as part of authorized deployments
Linux package managers (apt, yum, dnf, rpm) creating init.d service scripts when installing server software (nginx, apache, mysql)
System administrators manually configuring logon scripts for mapped drives, printer connections, or environment variable setup
macOS enterprise MDM solutions (Jamf, Mosyle) configuring LoginHooks for device enrollment or management tasks

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
  | eval TargetObject=coalesce(TargetObject, RegistryPath)
  | where match(TargetObject, "(?i)\\Environment\\UserInitMprLogonScript")
  | eval DetectionBranch="Windows-LogonScript-Registry"
  | eval Detail=TargetObject
  | table _time, host, User, TargetObject, Details, Image, CommandLine, DetectionBranch, Detail
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  | where match(TargetFilename, "(?i)(\\\\GroupPolicy\\\\|\\\\SYSVOL\\\\|\\\\netlogon\\\\)")
    AND match(TargetFilename, "(?i)\.(bat|cmd|vbs|ps1|js|wsf)$")
  | eval DetectionBranch="Windows-StartupScript-FileCreate"
  | eval Detail=TargetFilename
  | table _time, host, User, TargetFilename, Image, CommandLine, DetectionBranch, Detail
]
[
  search index=linux sourcetype=syslog
    ("init.d" OR "rc.local" OR "rc.d" OR "/etc/init/")
    ("chmod" OR "cp" OR "mv" OR "echo" OR "tee" OR "install")
  | rex field=_raw "(?P<action>chmod|cp|mv|echo|tee|install)\s+.*(?P<path>/etc/(rc\.d|init\.d|init|rc\.local)[^\s]*)"
  | where isnotnull(path)
  | eval DetectionBranch="Linux-InitScript-Activity"
  | eval Detail=path
  | table _time, host, path, action, _raw, DetectionBranch, Detail
]
[
  search index=linux sourcetype="linux_auditd"
    (key="persistence" OR syscall=rename OR syscall=write OR syscall=open)
    (name="/etc/init.d*" OR name="/etc/rc.d*" OR name="/etc/rc.local" OR name="/etc/init/*")
  | eval DetectionBranch="Linux-AuditD-InitScript"
  | eval Detail=name
  | table _time, host, auid, uid, name, syscall, exe, DetectionBranch, Detail
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    Image="*/defaults" CommandLine="*LoginHook*"
  | eval DetectionBranch="macOS-LoginHook-Configured"
  | eval Detail=CommandLine
  | table _time, host, User, Image, CommandLine, ParentImage, DetectionBranch, Detail
]
| sort - _time

high severity medium confidence

Data Sources

Registry: Registry Key Modification File: File Creation Process: Process Creation Sysmon Event ID 13 Sysmon Event ID 11 Sysmon Event ID 1 Linux auditd Linux syslog

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_auditd syslog

False Positives

Group Policy administrators deploying legitimate logon scripts via SYSVOL/NETLOGON shares during policy updates
Configuration management tools (Ansible, Chef, Puppet, SCCM) writing startup scripts to managed endpoints as part of authorized deployments
Linux package managers (apt, yum, dnf, rpm) creating init.d service scripts when installing server software
System administrators manually configuring logon scripts for mapped drives, printer connections, or environment variable setup
macOS enterprise MDM solutions (Jamf, Mosyle) configuring LoginHooks for device enrollment or management tasks

Elastic Security (EQL)

eql

any where
  (
    // Branch 1: Windows registry-based logon script persistence
    (event.category == "registry" and event.type in ("creation", "change") and
     registry.path : ("*\\Environment\\UserInitMprLogonScript*", "*UserInitMprLogonScript*"))
    or
    // Branch 2: Script file written to Windows Group Policy / SYSVOL / netlogon paths
    (event.category == "file" and event.type in ("creation", "change") and
     file.path : ("*\\GroupPolicy\\*", "*\\SYSVOL\\*", "*\\netlogon\\*") and
     file.extension in ("bat", "cmd", "vbs", "ps1", "js", "wsf"))
    or
    // Branch 3: Linux init script file creation or modification
    (event.category == "file" and event.type in ("creation", "change") and
     file.path : ("/etc/rc.d/*", "/etc/init.d/*", "/etc/rc.local", "/etc/init/*",
                  "/etc/rc0.d/*", "/etc/rc1.d/*", "/etc/rc2.d/*", "/etc/rc3.d/*",
                  "/etc/rc4.d/*", "/etc/rc5.d/*", "/etc/rc6.d/*"))
    or
    // Branch 4: macOS login hook configured via defaults write
    (event.category == "process" and event.type == "start" and
     process.name == "defaults" and
     process.args : ("*LoginHook*", "*LogoutHook*"))
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (endpoint agent) Auditbeat (Linux file integrity, process) Winlogbeat (Windows Sysmon, Security Event Log) Fleet-managed Elastic Agent

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-endpoint.events.process-* auditbeat-* winlogbeat-*

False Positives

Legitimate IT administrators setting domain logon scripts via Group Policy Object (GPO) management consoles — UserInitMprLogonScript modifications from known admin hosts should be baselined and excluded.
Configuration management platforms (Ansible, Puppet, Chef, SaltStack) that modify /etc/init.d/ or /etc/rc.d/ scripts as part of automated service deployments on Linux systems.
macOS MDM solutions such as Jamf Pro or Mosyle that configure login hooks or logout hooks for endpoint management, software deployment, or compliance enforcement.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  logsourcename(logSourceId) AS "Log Source",
  username AS "Username",
  hostname AS "Hostname",
  sourceip AS "Source IP",
  QIDNAME(qid) AS "Event Name",
  CATEGORYNAME(category) AS "Category",
  UTF8(payload) AS "Raw Payload",
  CASE
    WHEN UTF8(payload) ILIKE '%UserInitMprLogonScript%' THEN 'Windows-LogonScript-Registry'
    WHEN UTF8(payload) ILIKE '%GroupPolicy%' OR UTF8(payload) ILIKE '%SYSVOL%' OR UTF8(payload) ILIKE '%netlogon%' THEN 'Windows-StartupScript-FileCreate'
    WHEN UTF8(payload) ILIKE '%/etc/init.d%' OR UTF8(payload) ILIKE '%/etc/rc.d%' OR UTF8(payload) ILIKE '%/etc/rc.local%' OR UTF8(payload) ILIKE '%/etc/init/%' THEN 'Linux-InitScript-Activity'
    WHEN UTF8(payload) ILIKE '%LoginHook%' OR UTF8(payload) ILIKE '%LogoutHook%' THEN 'macOS-LoginHook-Configured'
    ELSE 'Unknown'
  END AS "Detection Branch"
FROM events
WHERE
  starttime > NOW() - 86400000
  AND (
    -- Branch 1: Windows registry logon script persistence
    (
      CATEGORYNAME(category) ILIKE '%registry%'
      AND UTF8(payload) ILIKE '%UserInitMprLogonScript%'
      AND UTF8(payload) ILIKE '%\Environment%'
    )
    OR
    -- Branch 2: Script file written to Group Policy / SYSVOL / netlogon
    (
      CATEGORYNAME(category) ILIKE '%file%'
      AND (
        UTF8(payload) ILIKE '%GroupPolicy%'
        OR UTF8(payload) ILIKE '%SYSVOL%'
        OR UTF8(payload) ILIKE '%netlogon%'
      )
      AND (
        UTF8(payload) ILIKE '%.bat%'
        OR UTF8(payload) ILIKE '%.cmd%'
        OR UTF8(payload) ILIKE '%.ps1%'
        OR UTF8(payload) ILIKE '%.vbs%'
        OR UTF8(payload) ILIKE '%.js%'
        OR UTF8(payload) ILIKE '%.wsf%'
      )
    )
    OR
    -- Branch 3: Linux init/rc script creation or modification
    (
      LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Universal DSM', 'Syslog')
      AND (
        UTF8(payload) ILIKE '%/etc/init.d%'
        OR UTF8(payload) ILIKE '%/etc/rc.d%'
        OR UTF8(payload) ILIKE '%/etc/rc.local%'
        OR UTF8(payload) ILIKE '%/etc/init/%'
        OR UTF8(payload) ILIKE '%/etc/rc0.d%'
        OR UTF8(payload) ILIKE '%/etc/rc1.d%'
        OR UTF8(payload) ILIKE '%/etc/rc2.d%'
        OR UTF8(payload) ILIKE '%/etc/rc3.d%'
        OR UTF8(payload) ILIKE '%/etc/rc4.d%'
        OR UTF8(payload) ILIKE '%/etc/rc5.d%'
        OR UTF8(payload) ILIKE '%/etc/rc6.d%'
      )
      AND (
        UTF8(payload) ILIKE '%chmod%'
        OR UTF8(payload) ILIKE '% cp %'
        OR UTF8(payload) ILIKE '% mv %'
        OR UTF8(payload) ILIKE '%tee %'
        OR UTF8(payload) ILIKE '%install %'
        OR UTF8(payload) ILIKE '% echo %'
      )
    )
    OR
    -- Branch 4: macOS login hook via defaults write
    (
      LOGSOURCETYPENAME(devicetype) IN ('Apple Mac OS X', 'Universal DSM', 'Syslog')
      AND (
        UTF8(payload) ILIKE '%defaults write%'
        OR UTF8(payload) ILIKE '%defaults%LoginHook%'
      )
      AND (
        UTF8(payload) ILIKE '%LoginHook%'
        OR UTF8(payload) ILIKE '%LogoutHook%'
      )
    )
  )
ORDER BY devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (via WinCollect or Sysmon) Linux OS syslog and auditd (Universal DSM or Linux OS DSM) Apple macOS syslog (Universal DSM) Sysmon for Linux

Required Tables

events

False Positives

Domain administrators legitimately modifying SYSVOL or netlogon logon scripts for Group Policy software deployment — correlate against change management tickets and known admin accounts.
Package managers (apt, yum, dnf, rpm) writing init scripts to /etc/init.d/ or /etc/rc.d/ during software installation on Linux servers — baseline package manager activity and exclude known package manager binary paths.
macOS enterprise MDM platforms (Jamf Pro, Microsoft Intune for Mac) that configure login/logout hooks for policy enforcement — whitelist known MDM agent processes and management server IP ranges.

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=linux/syslog OR _sourceCategory=linux/auditd OR _sourceCategory=macos/syslog OR _sourceCategory=endpoint*)
| where (
    // Branch 1: Sysmon EventID 13 - Registry Value Set targeting UserInitMprLogonScript
    (EventID = "13" AND TargetObject matches "(?i).*\\Environment.*UserInitMprLogonScript.*")
    OR
    // Branch 1b: Windows Security Event 4657 - Registry modification
    (EventID = "4657" AND ObjectName matches "(?i).*\\Environment.*UserInitMprLogonScript.*")
    OR
    // Branch 2: Sysmon EventID 11 - File created in GroupPolicy/SYSVOL/netlogon with script extension
    (EventID = "11" AND TargetFilename matches "(?i).*(\\GroupPolicy\\|\\SYSVOL\\|\\netlogon\\).*" AND TargetFilename matches "(?i).*\.(bat|cmd|vbs|ps1|js|wsf)$")
    OR
    // Branch 3: Linux syslog - write activity to init script directories
    (_sourceCategory matches "(?i).*linux.*" AND (
      _raw matches "(?i).*/etc/(rc\.d|init\.d|rc\.local|init/).*"
    ) AND (
      _raw matches "(?i).*(chmod|cp|mv|tee|install|echo|write).*"
    ))
    OR
    // Branch 3b: Linux auditd - syscall writes to init paths
    (_sourceCategory matches "(?i).*auditd.*" AND (
      name matches "(?i)/etc/(init\.d|rc\.d|rc\.local|init/).*"
    ) AND (
      syscall matches "(write|open|rename|truncate|creat)"
    ))
    OR
    // Branch 4: macOS defaults write LoginHook
    (process_name = "defaults" AND _raw matches "(?i).*(LoginHook|LogoutHook).*")
    OR
    // Branch 4b: Sysmon EventID 1 - macOS defaults process launch
    (EventID = "1" AND Image matches "(?i).*defaults$" AND CommandLine matches "(?i).*(LoginHook|LogoutHook).*")
  )
| eval detection_branch = if(EventID = "13" AND TargetObject matches "(?i).*UserInitMprLogonScript.*", "Windows-LogonScript-Registry",
    if(EventID = "4657" AND ObjectName matches "(?i).*UserInitMprLogonScript.*", "Windows-LogonScript-Registry",
    if(EventID = "11" AND TargetFilename matches "(?i).*(GroupPolicy|SYSVOL|netlogon).*", "Windows-StartupScript-FileCreate",
    if(_sourceCategory matches "(?i).*auditd.*", "Linux-AuditD-InitScript",
    if(_sourceCategory matches "(?i).*linux.*", "Linux-InitScript-Syslog",
    if(_raw matches "(?i).*(LoginHook|LogoutHook).*", "macOS-LoginHook-Configured", "Other"))))))
| eval indicator = if(isNull(TargetObject), if(isNull(TargetFilename), if(isNull(name), _raw, name), TargetFilename), TargetObject)
| eval actor = coalesce(User, auid, process_name, "unknown")
| count by detection_branch, _sourceHost, actor, indicator
| sort by _count desc

high severity high confidence

Data Sources

Windows Sysmon (EventID 1, 11, 13) via Sumo Logic Windows source Windows Security Event Log (EventID 4657) via Sumo Logic Windows source Linux syslog (/var/log/syslog, /var/log/messages) via Sumo Logic installed collector Linux auditd logs via Sumo Logic installed collector macOS unified system log via Sumo Logic macOS source

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security _sourceCategory=linux/syslog _sourceCategory=linux/auditd _sourceCategory=macos/syslog

False Positives

Automated software deployment pipelines (Jenkins, GitLab CI, GitHub Actions self-hosted runners) that write scripts to SYSVOL or netlogon as part of GPO-based software distribution — correlate against CI/CD service account names.
Linux system administrators running configuration management (Ansible playbooks, Chef cookbooks) that legitimately install or update init scripts in /etc/init.d/ during scheduled maintenance windows.
Corporate macOS device enrollment processes using Jamf or similar MDM that configure login/logout hooks as standard endpoint management controls — baseline MDM agent PIDs and signing identities.

Google Chronicle / SecOps

yaral

rule t1037_boot_logon_initialization_scripts {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1037 Boot or Logon Initialization Script persistence on Windows, Linux, and macOS"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1037"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1037/"
    reference = "https://attack.mitre.org/techniques/T1037/"
    created = "2026-04-16"
    version = "1.0"

  events:
    (
      // Branch 1: Windows registry logon script persistence via UserInitMprLogonScript
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and (
          re.regex($e.target.registry.registry_key, `(?i).*\\Environment.*`)
          or re.regex($e.target.registry.registry_value_name, `(?i)UserInitMprLogonScript`)
        )
        and re.regex($e.target.registry.registry_key, `(?i)UserInitMprLogonScript|\\Environment`)
      )
      or
      // Branch 2: Script file dropped into Group Policy, SYSVOL, or netlogon directories
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i).*(GroupPolicy|SYSVOL|netlogon).*`)
        and re.regex($e.target.file.full_path, `(?i)\.(bat|cmd|vbs|ps1|js|wsf)$`)
      )
      or
      // Branch 3: Linux init/rc script created or modified
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)/etc/(rc\.d|init\.d|rc\.local|init/|rc[0-6]\.d)/.*`)
      )
      or
      // Branch 3b: Linux init script file modification event
      (
        $e.metadata.event_type = "FILE_MODIFICATION"
        and re.regex($e.target.file.full_path, `(?i)/etc/(rc\.d|init\.d|rc\.local|init/|rc[0-6]\.d)/.*`)
      )
      or
      // Branch 4: macOS login hook configured via defaults write command
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.principal.process.file.full_path, `(?i).*\/defaults$`)
          or $e.principal.process.file.basename = "defaults"
        )
        and re.regex($e.target.process.command_line, `(?i).*(LoginHook|LogoutHook).*`)
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if($e.metadata.event_type = "REGISTRY_MODIFICATION", 85,
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i).*(GroupPolicy|SYSVOL|netlogon).*`), 80,
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i)/etc/(rc|init).*`), 75,
      if($e.metadata.event_type = "FILE_MODIFICATION" and re.regex($e.target.file.full_path, `(?i)/etc/(rc|init).*`), 70,
      if($e.metadata.event_type = "PROCESS_LAUNCH" and re.regex($e.target.process.command_line, `(?i).*(LoginHook|LogoutHook).*`), 80, 50)))))
    )
    $detection_branch = if($e.metadata.event_type = "REGISTRY_MODIFICATION", "Windows-LogonScript-Registry",
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i).*(GroupPolicy|SYSVOL|netlogon).*`), "Windows-StartupScript-FileCreate",
      if($e.metadata.event_type = "FILE_CREATION" and re.regex($e.target.file.full_path, `(?i)/etc/(rc|init).*`), "Linux-InitScript-FileCreate",
      if($e.metadata.event_type = "FILE_MODIFICATION" and re.regex($e.target.file.full_path, `(?i)/etc/(rc|init).*`), "Linux-InitScript-FileModify",
      if($e.metadata.event_type = "PROCESS_LAUNCH", "macOS-LoginHook-Configured", "Unknown")))))    
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $initiating_process = $e.principal.process.file.basename

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) ingestion from endpoint agents Google Chronicle SIEM with Windows event log forwarding Chronicle Linux log ingestion via Bindplane or forwarders Chronicle macOS event collection via Endpoint Detection agents Microsoft Defender for Endpoint via Chronicle integration

Required Tables

UDM events (REGISTRY_MODIFICATION) UDM events (FILE_CREATION) UDM events (FILE_MODIFICATION) UDM events (PROCESS_LAUNCH)

False Positives

Group Policy administrators legitimately creating or modifying batch/PowerShell scripts in SYSVOL or netlogon shares for domain-wide software deployment — create reference lists of authorized GPO admin accounts and exclude from rule or reduce risk score.
Linux package installation via apt/yum/dnf that adds service init scripts to /etc/init.d/ or /etc/rc.d/ — these should match known package management binary paths (dpkg, rpm, yum) and can be excluded using initiating process filtering.
macOS fleet management tools (Jamf Pro, Mosyle, Microsoft Intune) that configure login or logout hooks as part of standard device enrollment and policy enforcement — baseline MDM agent signatures and exclude by principal process identity.

CrowdStrike LogScale (CQL)

cql

// T1037 - Boot or Logon Initialization Scripts
// Detect Windows registry logon script, startup script file drops, Linux init script writes, and macOS login hook config

#event_simpleName in (RegGenericValueUpdate, RegGenericKeyCreate, RegValueUpdate, FileWritten, PeFileWritten, ProcessRollup2)

| case {
    // Branch 1: Windows registry logon script - UserInitMprLogonScript
    #event_simpleName in (RegGenericValueUpdate, RegGenericKeyCreate, RegValueUpdate)
    | regex(field=RegObjectName, regex="(?i)\\\\Environment\\\\UserInitMprLogonScript", strict=false)
    | eval DetectionBranch="Windows-LogonScript-Registry"
    | eval Indicator=RegObjectName ;

    // Branch 2: Script file written to GroupPolicy / SYSVOL / netlogon
    #event_simpleName in (FileWritten, PeFileWritten)
    | regex(field=TargetFileName, regex="(?i)(\\\\GroupPolicy\\\\|\\\\SYSVOL\\\\|\\\\netlogon\\\\)", strict=false)
    | regex(field=TargetFileName, regex="(?i)\.(bat|cmd|vbs|ps1|js|wsf)$", strict=false)
    | eval DetectionBranch="Windows-StartupScript-FileCreate"
    | eval Indicator=TargetFileName ;

    // Branch 3: Linux init/rc script file written
    #event_simpleName in (FileWritten)
    | regex(field=TargetFileName, regex="(?i)/etc/(rc\.d|init\.d|rc\.local|init/|rc[0-6]\.d)/", strict=false)
    | eval DetectionBranch="Linux-InitScript-FileWrite"
    | eval Indicator=TargetFileName ;

    // Branch 4: macOS defaults write LoginHook / LogoutHook
    #event_simpleName = ProcessRollup2
    | regex(field=ImageFileName, regex="(?i)(/usr/bin/defaults|/bin/defaults)$", strict=false)
    | regex(field=CommandLine, regex="(?i)(LoginHook|LogoutHook)", strict=false)
    | eval DetectionBranch="macOS-LoginHook-Configured"
    | eval Indicator=CommandLine ;

    // Exclude non-matching events
    *
    | eval DetectionBranch="_no_match"
}

| DetectionBranch != "_no_match"

| eval Actor=coalesce(UserName, UID, "unknown")
| eval Host=coalesce(ComputerName, aip, "unknown")

| table([timestamp, Host, Actor, DetectionBranch, #event_simpleName, Indicator, ImageFileName, CommandLine, ParentBaseFileName])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (Windows sensor) CrowdStrike Falcon for Linux (Linux sensor) CrowdStrike Falcon for macOS (macOS sensor) CrowdStrike Falcon LogScale (Humio) SIEM ingestion

Required Tables

Falcon telemetry: RegGenericValueUpdate Falcon telemetry: RegGenericKeyCreate Falcon telemetry: RegValueUpdate Falcon telemetry: FileWritten Falcon telemetry: PeFileWritten Falcon telemetry: ProcessRollup2

False Positives

Legitimate system administrators or Active Directory management tools (ADUC, GPMC, PowerShell RSAT modules) configuring UserInitMprLogonScript for domain users as an authorized policy deployment mechanism — alert volume should be low and restricted to admin workstations.
Software packaging tools (WiX, InstallShield, Inno Setup) that write PowerShell or batch scripts into GroupPolicy or netlogon paths as part of MSI or software installer deployments in enterprise environments.
Linux package managers (rpm, dpkg, apt) or configuration management agents (Puppet agent, Chef client) that write or update init scripts in /etc/init.d/ or /etc/rc.d/ as part of automated package installation or system provisioning workflows.

Last updated: 2026-04-16 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1037 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Boot or Logon Initialization Scripts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Persistence

Popular Detections